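/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * Solaris Audit Token Table.
 */

#include <locale.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <bsm/audit.h>
#include <bsm/audit_record.h>
#include <bsm/libbsm.h>

#include "praudit.h"
#include "toktable.h"

/*
 * Table of token/tag descriptors, indexed by the AUT_* token id or TAG_*
 * tag value.  It is a file-scope object, so any slot that init_tokens()
 * does not fill stays all-zero: null name, tag name and handler pointers.
 *
 * NOTE(review): the code that looks entries up is not in this file.  An id
 * read from an audit record has to be range-checked against MAXTAG, and
 * the slot's func and t_name checked for null, before either is used;
 * confirm the consumers do both.
 */
token_desc_t tokentable[MAXTAG + 1];

/*
 * table_initx fills one tokentable[] slot; it is for entries which need
 * name different from tagname.
 *
 * The body is wrapped in do { } while (0) so that an invocation is a single
 * statement (safe under an unbraced if/else), and the index expression is
 * evaluated once instead of once per member.  There is no bounds check:
 * every index passed in must be a constant no greater than MAXTAG.
 */
#define	table_initx(i, n, tn, f, t)				\
	do {							\
		token_desc_t *td_ = &tokentable[(int)(i)];	\
								\
		td_->t_name = (n);				\
		td_->t_tagname = (tn);				\
		td_->func = (f);				\
		td_->t_type = (t);				\
	} while (0)

/* table_init is the common case: the tag name is the same as the name. */
#define	table_init(i, n, f, t)	table_initx(i, n, n, f, t)

/*
 * Initialize the table of tokens & other tags.
 *
 * Fills tokentable[] one slot at a time: one entry per AUT_* audit token id
 * and, when built with _PRAUDIT defined, one per TAG_* tag.  Each entry
 * stores a name, a tag name, a handler and a T_* type value.  Takes no
 * arguments and returns nothing.
 *
 * Entries registered with NOFUNC carry a name but no handler routine, and
 * ids that are not listed below are not written at all.
 *
 * The entries are plain stores, so if two of the constants ever shared a
 * value the later entry would win; keep the order as it is.
 */
void
init_tokens(void)
{
	/*
	 * TRANSLATION_NOTE
	 * These names refer to different type of audit tokens.
	 * To gain a better understanding of each token, read the
	 * SunShield BSM Guide, part no. 802-1965-xx.
	 */

	(void) gettext("file");	/* to force out the translation note */

	/*
	 * Control token types
	 */

	/* AUT_INVALID has no name: t_name and t_tagname are null pointers. */
	table_init(AUT_INVALID, (char *)0, NOFUNC, T_UNKNOWN);
	table_init(AUT_OTHER_FILE32, "file", file_token, T_EXTENDED);
	table_init(AUT_OHEADER, "old_header", NOFUNC, T_EXTENDED);
	table_init(AUT_TRAILER, "trailer", trailer_token, T_UNKNOWN);
	table_initx(AUT_HEADER32, "header", "record",
	    header_token, T_EXTENDED);
	table_initx(AUT_HEADER32_EX, "header", "record",
	    header32_ex_token, T_EXTENDED);

	/*
	 * Data token types
	 */

	table_init(AUT_DATA, "arbitrary", arbitrary_data_token, T_EXTENDED);
	table_init(AUT_IPC, "IPC", s5_IPC_token, T_ENCLOSED);
	table_init(AUT_PATH, "path", path_token, T_ELEMENT);
	table_init(AUT_XATPATH, "path_attr", path_attr_token, T_ELEMENT);
	table_init(AUT_SUBJECT32, "subject", subject32_token, T_ENCLOSED);
	table_init(AUT_PROCESS32, "process", process32_token, T_ENCLOSED);
	table_init(AUT_RETURN32, "return", return_value32_token, T_ENCLOSED);
	table_init(AUT_TEXT, "text", text_token, T_ELEMENT);
	table_init(AUT_OPAQUE, "opaque", opaque_token, T_ELEMENT);
	table_initx(AUT_IN_ADDR, "ip address", "ip_address",
	    ip_addr_token, T_ELEMENT);
	table_init(AUT_IP, "ip", ip_token, T_ENCLOSED);
	table_initx(AUT_IPORT, "ip port", "ip_port",
	    iport_token, T_ELEMENT);
	table_init(AUT_ARG32, "argument", argument32_token, T_ENCLOSED);
	table_initx(AUT_SOCKET, "socket", "old_socket",
	    socket_token, T_ENCLOSED);
	table_init(AUT_SEQ, "sequence", sequence_token, T_ENCLOSED);
	table_init(AUT_ZONENAME, "zone", zonename_token, T_ENCLOSED);

	/*
	 * Modifier token types
	 */

	table_init(AUT_ACL, "acl", acl_token, T_ENCLOSED);
	table_init(AUT_ATTR, "attribute", attribute_token, T_ENCLOSED);
	table_init(AUT_IPC_PERM, "IPC_perm", s5_IPC_perm_token, T_ENCLOSED);
	table_initx(AUT_LABEL, "cmw label", "cmw_label",
	    NOFUNC, T_UNKNOWN);
	table_init(AUT_GROUPS, "group", group_token, T_ELEMENT);
	table_initx(AUT_ILABEL, "information label", "information_label",
	    ilabel_token, T_ELEMENT);
	table_initx(AUT_SLABEL, "sensitivity label", "sensitivity_label",
	    slabel_token, T_ELEMENT);
	table_init(AUT_CLEAR, "clearance", clearance_token, T_ELEMENT);
	table_init(AUT_PRIV, "privilege", privilege_token, T_EXTENDED);
	table_initx(AUT_UPRIV, "use of privilege", "use_of_privilege",
	    useofpriv_token, T_EXTENDED);
	table_init(AUT_LIAISON, "liaison", liaison_token, T_ELEMENT);
	table_init(AUT_NEWGROUPS, "group", newgroup_token, T_ELEMENT);
	table_init(AUT_EXEC_ARGS, "exec_args", exec_args_token, T_ELEMENT);
	table_init(AUT_EXEC_ENV, "exec_env", exec_env_token, T_ELEMENT);
	table_init(AUT_ATTR32, "attribute", attribute32_token, T_ENCLOSED);
	table_initx(AUT_UAUTH, "use of authorization",
	    "use_of_authorization", useofauth_token, T_ELEMENT);
	table_init(AUT_TID, "tid", tid_token, T_EXTENDED);

	/*
	 * X windows token types
	 */
	table_initx(AUT_XATOM, "X atom", "X_atom", xatom_token, T_ELEMENT);
	table_initx(AUT_XOBJ, "X object", "X_object", NOFUNC, T_UNKNOWN);
	table_initx(AUT_XPROTO, "X protocol", "X_protocol", NOFUNC, T_UNKNOWN);
	table_initx(AUT_XSELECT, "X selection", "X_selection",
	    xselect_token, T_ELEMENT);
	table_initx(AUT_XCOLORMAP, "X color map", "X_color_map",
	    xcolormap_token, T_ENCLOSED);
	table_initx(AUT_XCURSOR, "X cursor", "X_cursor",
	    xcursor_token, T_ENCLOSED);
	table_initx(AUT_XFONT, "X font", "X_font", xfont_token, T_ENCLOSED);
	table_initx(AUT_XGC, "X graphic context", "X_graphic_context",
	    xgc_token, T_ENCLOSED);
	table_initx(AUT_XPIXMAP, "X pixmap", "X_pixmap",
	    xpixmap_token, T_ENCLOSED);
	table_initx(AUT_XPROPERTY, "X property", "X_property",
	    xproperty_token, T_EXTENDED);
	table_initx(AUT_XWINDOW, "X window", "X_window",
	    xwindow_token, T_ENCLOSED);
	table_initx(AUT_XCLIENT, "X client", "X_client",
	    xclient_token, T_ELEMENT);

	/*
	 * Command token types
	 */

	table_init(AUT_CMD, "cmd", cmd_token, T_ELEMENT);
	table_init(AUT_EXIT, "exit", exit_token, T_ENCLOSED);

	/*
	 * Miscellaneous token types
	 */

	table_init(AUT_HOST, "host", host_token, T_ELEMENT);

	/*
	 * Solaris64 token types
	 */

	table_init(AUT_ARG64, "argument", argument64_token, T_ENCLOSED);
	table_init(AUT_RETURN64, "return", return_value64_token, T_ENCLOSED);
	table_init(AUT_ATTR64, "attribute", attribute64_token, T_ENCLOSED);
	table_initx(AUT_HEADER64, "header", "record",
	    header64_token, T_EXTENDED);
	table_init(AUT_SUBJECT64, "subject", subject64_token, T_ENCLOSED);
	table_init(AUT_PROCESS64, "process", process64_token, T_ENCLOSED);
	table_init(AUT_OTHER_FILE64, "file", file64_token, T_EXTENDED);

	/*
	 * Extended network address token types
	 */

	table_initx(AUT_HEADER64_EX, "header", "record",
	    header64_ex_token, T_EXTENDED);
	table_init(AUT_SUBJECT32_EX, "subject", subject32_ex_token, T_ENCLOSED);
	table_init(AUT_PROCESS32_EX, "process", process32_ex_token, T_ENCLOSED);
	table_init(AUT_SUBJECT64_EX, "subject", subject64_ex_token, T_ENCLOSED);
	table_init(AUT_PROCESS64_EX, "process", process64_ex_token, T_ENCLOSED);
	table_initx(AUT_IN_ADDR_EX, "ip address", "ip_address",
	    ip_addr_ex_token, T_ELEMENT);
	table_init(AUT_SOCKET_EX, "socket", socket_ex_token, T_ENCLOSED);

#ifdef _PRAUDIT
	/*
	 * Done with tokens above here. Now do remaining tags.
	 */
	table_init(TAG_AUID, "audit-uid", pa_pw_uid, T_ATTRIBUTE);
	table_init(TAG_UID, "uid", pa_pw_uid, T_ATTRIBUTE);
	table_init(TAG_GID, "gid", pa_gr_uid, T_ATTRIBUTE);
	table_init(TAG_RUID, "ruid", pa_pw_uid, T_ATTRIBUTE);
	table_init(TAG_RGID, "rgid", pa_gr_uid, T_ATTRIBUTE);

	table_init(TAG_PID, "pid", pa_adr_u_int32, T_ATTRIBUTE);
	table_init(TAG_SID, "sid", pa_adr_u_int32, T_ATTRIBUTE);

	table_init(TAG_TID32, "tid", pa_tid32, T_ATTRIBUTE);
	table_init(TAG_TID64, "tid", pa_tid64, T_ATTRIBUTE);
	table_init(TAG_TID32_EX, "tid", pa_tid32_ex, T_ATTRIBUTE);
	table_init(TAG_TID64_EX, "tid", pa_tid64_ex, T_ATTRIBUTE);
	table_init(TAG_TID_TYPE, "type", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_IP, "ipadr", NOFUNC, T_ENCLOSED);
	table_init(TAG_IP_LOCAL, "local-port", pa_adr_u_short, T_ATTRIBUTE);
	table_init(TAG_IP_REMOTE, "remote-port", pa_adr_u_short, T_ATTRIBUTE);
	table_init(TAG_IP_ADR, "host", pa_ip_addr, T_ATTRIBUTE);

	table_initx(TAG_EVMOD, "event-modifier", "modifier",
	    pa_event_modifier, T_ATTRIBUTE);
	table_initx(TAG_EVTYPE, "event-type", "event",
	    pa_event_type, T_ATTRIBUTE);
	table_initx(TAG_TOKVERS, "token-version", "version",
	    pa_adr_byte, T_ATTRIBUTE);

	table_init(TAG_ISO, "iso8601", NOFUNC, T_ATTRIBUTE);

	table_init(TAG_ERRVAL, "errval", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_RETVAL, "retval", pa_adr_int32, T_ATTRIBUTE);

	table_init(TAG_SETTYPE, "set-type", pa_adr_string, T_ATTRIBUTE);
	/* Sub-element of groups & newgroups token: */
	table_init(TAG_GROUPID, "gid", pa_gr_uid, T_ELEMENT);

	table_init(TAG_XID, "xid", pa_xid, T_ATTRIBUTE);
	table_init(TAG_XCUID, "xcreator-uid", pa_pw_uid, T_ATTRIBUTE);

	table_init(TAG_XSELTEXT, "x_sel_text", pa_adr_string, T_ELEMENT);
	table_init(TAG_XSELTYPE, "x_sel_type", pa_adr_string, T_ELEMENT);
	table_init(TAG_XSELDATA, "x_sel_data", pa_adr_string, T_ELEMENT);

	table_init(TAG_ARGNUM, "arg-num", pa_adr_byte, T_ATTRIBUTE);
	table_init(TAG_ARGVAL32, "value", pa_adr_int32hex, T_ATTRIBUTE);
	table_init(TAG_ARGVAL64, "value", pa_adr_int64hex, T_ATTRIBUTE);
	table_init(TAG_ARGDESC, "desc", pa_adr_string, T_ATTRIBUTE);

	table_init(TAG_MODE, "mode", pa_mode, T_ATTRIBUTE);
	table_init(TAG_FSID, "fsid", pa_adr_int32, T_ATTRIBUTE);
	table_init(TAG_NODEID32, "nodeid", pa_adr_int32, T_ATTRIBUTE);
	table_init(TAG_NODEID64, "nodeid", pa_adr_int64, T_ATTRIBUTE);
	table_init(TAG_DEVICE32, "device", pa_adr_u_int32, T_ATTRIBUTE);
	table_init(TAG_DEVICE64, "device", pa_adr_u_int64, T_ATTRIBUTE);

	table_init(TAG_SEQNUM, "seq-num", pa_adr_u_int32, T_ATTRIBUTE);
	table_init(TAG_ZONENAME, "name", pa_adr_string, T_ATTRIBUTE);
	table_init(TAG_ARGV, "argv", pa_cmd, T_ELEMENT);
	table_init(TAG_ARGE, "arge", pa_cmd, T_ELEMENT);
	table_init(TAG_ARG, "arg", pa_string, T_ELEMENT);
	table_init(TAG_ENV, "env", pa_string, T_ELEMENT);
	table_init(TAG_XAT, "xattr", pa_string, T_ELEMENT);

	table_init(TAG_RESULT, "result", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_CUID, "creator-uid", pa_pw_uid, T_ATTRIBUTE);
	table_init(TAG_CGID, "creator-gid", pa_gr_uid, T_ATTRIBUTE);
	table_init(TAG_SEQ, "seq", pa_adr_u_int32, T_ATTRIBUTE);
	table_init(TAG_KEY, "key", pa_adr_int32hex, T_ATTRIBUTE);

	table_init(TAG_IPVERS, "version", pa_adr_charhex, T_ATTRIBUTE);
	table_init(TAG_IPSERV, "service_type", pa_adr_charhex, T_ATTRIBUTE);
	table_init(TAG_IPLEN, "len", pa_adr_short, T_ATTRIBUTE);
	table_init(TAG_IPID, "id", pa_adr_u_short, T_ATTRIBUTE);
	table_init(TAG_IPOFFS, "offset", pa_adr_u_short, T_ATTRIBUTE);
	table_init(TAG_IPTTL, "time_to_live", pa_adr_charhex, T_ATTRIBUTE);
	table_init(TAG_IPPROTO, "protocol", pa_adr_charhex, T_ATTRIBUTE);
	table_init(TAG_IPCKSUM, "cksum", pa_adr_u_short, T_ATTRIBUTE);
	table_init(TAG_IPSRC, "src_addr", pa_adr_int32hex, T_ATTRIBUTE);
	table_init(TAG_IPDEST, "dest_addr", pa_adr_int32hex, T_ATTRIBUTE);

	table_init(TAG_ACLTYPE, "type", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_ACLVAL, "value", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_SOCKTYPE, "type", pa_adr_shorthex, T_ATTRIBUTE);
	table_init(TAG_SOCKPORT, "port", pa_adr_shorthex, T_ATTRIBUTE);
	table_init(TAG_SOCKADDR, "addr", NOFUNC, T_ATTRIBUTE);

	table_init(TAG_SOCKEXDOM, "sock_domain", pa_adr_shorthex, T_ATTRIBUTE);
	table_init(TAG_SOCKEXTYPE, "sock_type", pa_adr_shorthex, T_ATTRIBUTE);
	table_init(TAG_SOCKEXLPORT, "lport", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_SOCKEXLADDR, "laddr", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_SOCKEXFPORT, "fport", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_SOCKEXFADDR, "faddr", NOFUNC, T_ATTRIBUTE);

	table_init(TAG_IPCTYPE, "ipc-type", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_IPCID, "ipc-id", pa_adr_int32, T_ATTRIBUTE);

	table_init(TAG_ARBPRINT, "print", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_ARBTYPE, "type", NOFUNC, T_ATTRIBUTE);
	table_init(TAG_ARBCOUNT, "count", NOFUNC, T_ATTRIBUTE);

	table_init(TAG_HOSTID, "host", NOFUNC, T_ATTRIBUTE);
#endif	/* _PRAUDIT */
}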